
Princeton study: Disk encryption not safe

Researchers with Princeton University and the Electronic Frontier Foundation have found a flaw that renders disk encryption systems useless if an intruder has physical access to your computer — say in the case of a stolen laptop or when a computer is left unattended on a desktop in sleep mode or while displaying a password prompt screen. The attack takes only a few minutes to conduct and uses the disk encryption key that’s stored in the computer’s RAM. The attack works because content as well as encryption keys stored in RAM linger in the system, even after the machine is powered off, enabling an attacker to use the key to collect any content still in RAM after reapplying power to the machine.

“We’ve broken disk encryption products in exactly the case when they seem to be most important these days: laptops that contain sensitive corporate data or personal information about business customers,” said J. Alex Halderman, one of the researchers, in a press release. “Unlike many security problems, this isn’t a minor flaw; it is a fundamental limitation in the way these systems were designed.” The researchers successfully performed the attack on several disk encryption systems — Apple’s FileVault, Microsoft’s BitLocker, as well as TrueCrypt and dm-crypt — but said they have no reason to believe it won’t work on other disk encryption systems as well, since they all share similar architectures. They released a paper about their work as well as a video demonstration (available at YouTube) of the attack.

Source: Wired 

Comments

  1. dublitze
    February 22nd, 2008 | 09:48

    i finally understood it with the help of the youtube video ;)

  2. Ted
    February 22nd, 2008 | 09:54

    Well that’s messed up, because I recently got paid to set up an encryption system for a network of PC’s owned by a criminal!

  3. yes
    February 22nd, 2008 | 10:00

    “The attack works because content as well as encryption keys stored in RAM linger in the system, even after the machine is powered off,”… A quick check in the swapfile? If that’s the case, old news.

    Changing ClearPageFileAtShutdown to 1 in the registry should work.

  4. MikeH
    February 22nd, 2008 | 10:13

    @3
    No, not the swapfile (which itself would be encrypted!) but the RAM itself. Watch the vid.

  5. Mike
    February 22nd, 2008 | 10:26

    Well I never knew you could freeze RAM like that, if that’s what they’re doing, also never knew stuff lasted that long without freezing.

  6. john k
    February 22nd, 2008 | 10:45

    May be a stupid question, but would this also work on hardware-encrypted drives, like the Seagate FDE drive?

  7. hirmu
    February 22nd, 2008 | 10:52

    MacBook Air is safe from the Princeton attack: http://radian.org/notebook/fashionable-crypto

    HA! Take that PC lovers!

  8. zookeeper525
    February 22nd, 2008 | 10:53

    lol OMG they r going 2 get a password 2 a porn site and myspace and aim omfg i will not be able 2 live after this

  9. user
    February 22nd, 2008 | 11:07

    zookeeper you petty soul, you’re obviously not a target for this kind of technique, as your life holds no importance to anyone.

  10. HigherIQ
    February 22nd, 2008 | 11:26

    @hirmu
    if you actually read that page it says “highly-resistant to the troublesome Princeton attack.”. It does not say it is immune to it… just highly resistant to it.
    Also, the airbook isn’t that powerful for the needs of most, so anybody needing real encryption wouldn’t be using it in the first place lol.
    There is a reason why clandestine organizations don’t use Macs. Get with the program. However they are nice for just surfing the net and other simpler tasks.

  11. FUDLOG.NET
    February 22nd, 2008 | 11:34

    Way to go Martin, first causing FUD about bogus ISP filtering laws and now this. If you weren’t a freakin’ 15 year old who grew up with consoles instead of real computers you would have known that data remaining in memory long after a system was shut down is nothing new and has been known for decades.

    Move along people, nothing to see here.

  12. I.C.Wiener
    February 22nd, 2008 | 12:14

    I guess it will take some time till mom figures out how it works. So my p0rn is still safe :)

  13. friendlyInfo
    February 22nd, 2008 | 13:13

    Lets investigate 3 possible ways this might happen.

    1. Left powered off on a table and then stolen.
    2. Left power on or in sleep mode on a table and then stolen.
    3. Ripped from your hands on the street.

    1. They have 2 minutes TOPS to observe the owner walking away and then to run that thing somewhere to get your data. Most likely don’t have time. Most laptops run so enormously hot, you actually have 50 seconds or so.
    2. You deserve to lose data.
    3. Robber has 2 minutes TOPS to recover data. Most laptops run so enormously hot, you actually have 50 seconds or so.

    This is the most obscure security warning I ever heard. I do not feel any less safe knowing this information. In fact, it borders on misinformation. Yes, it’s true RAM may still hold remnants of data after power off, but in the real world, the laptop would run hot, causing the data to last merely seconds. So in essence, data is lost when powering off, period. The university folks were able to only pull this off in ideal conditions, i.e. the computer was powered off in front of the “attacker”.

  14. Murrey
    February 22nd, 2008 | 13:14

    Sounds way more serious than it should, I think. The (nice) YouTube video explains clearly that the memory fades within roughly 2 minutes (which “FUDLOG.NET” calls a long time :) ) after shutoff, which is safe enough for me.

    If your data is that important that someone would jump your computer right after you look away then:

    1. Always use shutoff, never sleepmode or standby.
    2. Get some program that wipes your memory. (I guess that would require a restart of the computer!?)

  15. 2c worth
    February 22nd, 2008 | 13:26

    Don’t forget that Vista uses hibernation & standby as preferred states to powering off, and these functions are used even more so on laptops than desktops.

  16. favor
    February 22nd, 2008 | 14:20

    @14 2 minutes is not safe, because attacker can power on the computer, power off, copy ram, find key

  17. SAS
    February 22nd, 2008 | 15:04

    If you shut down properly, TrueCrypt and possibly other programs will wipe the key in memory. This attack is based on getting a computer that is on or in sleep mode, interrupting power and taking a quick look at the RAM.

  18. blah
    February 22nd, 2008 | 15:23

    From the TrueCrypt documentation, section Unencrypted Data in RAM (chapter Security Precautions):

    ——————————————————————————–

    Unencrypted Data in RAM

    It is important to note that TrueCrypt is disk encryption software, which encrypts only disks, not RAM (memory).

    Keep in mind that most programs do not clear the memory area (buffers) in which they store unencrypted (portions of) files they load from a TrueCrypt volume. This means that after you exit such a program, unencrypted data it worked with may remain in memory (RAM) until the computer is turned off (and, according to some researchers, even for some time after the power is turned off). Also note that if you open a file stored on a TrueCrypt volume, for example, in a text editor and then force dismount on the TrueCrypt volume, then the file will remain unencrypted in the area of memory (RAM) used by (allocated to) the text editor. This applies to forced auto-dismount as well.

    Inherently, unencrypted master keys have to be stored in RAM as well. When a TrueCrypt volume is dismounted, TrueCrypt erases its master keys (stored in RAM). When the computer is cleanly restarted, all TrueCrypt volumes are automatically dismounted (thus, all master keys stored in RAM are erased by the TrueCrypt driver). However, when the computer is reset (not cleanly restarted), when the system crashes, or when power supply is abruptly interrupted, the TrueCrypt driver stops running and therefore cannot erase any keys.
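
The dismount behaviour quoted in comment 18 (master keys erased on a clean dismount, left in RAM after a reset, crash or power cut), as an added example that is not part of the original page or TrueCrypt's code. The `volume` struct, the function names and the sample key are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32
/* Hypothetical state of a mounted volume (not TrueCrypt's real layout). */
struct volume { uint8_t master_key[KEY_LEN]; int mounted; };

/* Volatile stores so the compiler cannot drop the wipe as dead writes. */
static void secure_wipe(void *buf, size_t len) {
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--) *p++ = 0;
}

/* Mount: the unencrypted master key now has to live in RAM. */
void volume_mount(struct volume *v, const uint8_t *key) {
    memcpy(v->master_key, key, KEY_LEN);
    v->mounted = 1;
}

/* Clean dismount: the only code path that erases the key. */
void volume_dismount(struct volume *v) {
    secure_wipe(v->master_key, KEY_LEN);
    v->mounted = 0;
}

/* Number of nonzero key bytes still present in the volume state. */
size_t key_bytes_resident(const struct volume *v) {
    size_t n = 0;
    for (size_t i = 0; i < KEY_LEN; i++) n += (v->master_key[i] != 0);
    return n;
}

/* clean_exit = 0 models a reset, crash or power cut: dismount never runs. */
size_t simulate_session(int clean_exit) {
    static struct volume v;
    uint8_t key[KEY_LEN];
    for (size_t i = 0; i < KEY_LEN; i++) key[i] = (uint8_t)(0xA0 + i); /* constructed key */
    volume_mount(&v, key);
    secure_wipe(key, KEY_LEN);          /* wipe the temporary copy as well */
    if (clean_exit) volume_dismount(&v);
    return key_bytes_resident(&v);
}

int main(void) {
    printf("clean: %zu, abrupt: %zu\n", simulate_session(1), simulate_session(0));
    return 0;
}
```

After a clean exit no key bytes remain; after the abrupt one all 32 are still in memory, which is the state the quoted documentation describes.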

  19. john
    February 22nd, 2008 | 15:25

    no real big surprise here. even military class encryption is vulnerable, so what can you expect from a commercial version of encryption.

    there are already solutions to decrypt entire hdd. and you do not need the ram, you are not under the pressure of time.

    nothing is safe. anyway the most unsafe component of a system is the human one.

  20. A2DAK
    February 22nd, 2008 | 15:27

    this wouldn’t work on hardware implementations of disk encryption

  21. Nils
    February 22nd, 2008 | 16:32

    A2DAK, the key for the encryption has to be stored somewhere, or no encryption can happen. And if it is stored, it can be read. To be safe, always turn the device off.

  22. rohit
    February 22nd, 2008 | 17:06

    it’l’ be a very nice product

  23. rohit
    February 22nd, 2008 | 17:14

    gyfjkgfhmjh

  24. rohit
    February 22nd, 2008 | 17:18

    gyjhfg

  25. rohit
    February 22nd, 2008 | 17:19

    hjhjfgjfgjhfgjh yhj gjjfj fgj fg j

  26. .:.
    February 22nd, 2008 | 17:20

    If you watch the Video then READ about it, it explains that, in the case of “truecrypt”, if you follow the INSTRUCTIONs and shut down cleanly then it is NOT a feasible attack…

    read “SAS” comment then go look at the truecrypt forums.

    the answer is 6 ;)

  27. .:.
    February 22nd, 2008 | 17:24

    UPDATE:

    If you don’t see any copies of the pattern, possible explanations include (1) you have ECC (error-correcting) RAM, which the BIOS clears at boot; (2) your BIOS clears RAM at boot for another reason (try disabling the memory test or enabling “Quick Boot” mode); (3) your RAM’s retention time is too short to be noticeable at normal temperatures. In any case, your computer might still be vulnerable — an attacker could cool the RAM so that the data takes longer to decay and/or transfer the memory modules to a computer that doesn’t clear RAM at boot and read them there.

    link : http://citp.princeton.edu/memory/exp/

  28. Ruff McGruff
    February 22nd, 2008 | 17:42

    truecrypt FTW, it does wat it says. more than enough security for a lot of people. and if there is information which is THAT THAT important, dont freakin carry it around in ur damn laptop.

  29. (O)fer
    February 22nd, 2008 | 17:49

    did they try this on SECUSTAR products??? it’s the best disk encryption soft… no shts like truecrypt or other

  30. SupeS
    February 22nd, 2008 | 18:55

    NO Harddisk anymore Flashmemory is the future

  31. Atlas
    February 22nd, 2008 | 20:35

    someone who has sensitive data should not be walking down the street with a laptop turned on. This person needs to find a secure location to access from and never leave the laptop even for a minute. Similarly, you could find out their passwords with keyloggers (unless they are using keyfiles) but then what kind of person savvy enough to set up encryption would not know how to run an AV and firewall and not d/l pr0n exe’s?

    This is a wake up call not to be too overconfident in encryption systems. Amen to that. I keep my truecrypt partition on a usb key and find that the fact that it is not always attached makes it more secure.
    cheers

  32. hikaricore
    February 22nd, 2008 | 20:54

    no sh*t sherlock

  33. didijeeeke
    February 22nd, 2008 | 22:58

    Someone could break into a datacenter and actually steal information using this method.
    Normally, even if you manage to break into a datacenter and steal a hard disk, you still have nothing. But using this method you are able to get the key without any problem. Normally a secure server is completely locked out even when you have direct access. BIOS is locked out and hard disks are encrypted. On a very secure server this would be an easy way to get the information.

  34. Edd Miles
    February 22nd, 2008 | 23:25

    @7 that article is wrong. Whilst having the RAM soldered onto the mobo makes it virtually impossible to use the attack by removing the RAM, it has no protection against booting off an external HDD (If the Mac Air supports that? Don’t know!) and stealing the data from RAM that way. Requires more time, but is no more secure than the solution being mooted on the truecrypt forums (namely gluing your RAM in place [using a glue that can be removed of course, but as long as you pick one that requires heat and to remove it you'd be just as secure!])

    @29 it will most probably work. This is not a flaw in the way any encryption software works (With the possible exception of bitlocker which is apparently extra vulnerable) but is rather a problem with the way the hardware the system is built on runs.

    @31 Damn straight. If you are *that* worried about someone using this attack on you, you should have far superior protection methods than just encryption!

  35. ireshine
    February 23rd, 2008 | 02:21

    how did they dump the RAM to the hard disk?
    “what’s the name of the program” and how do you dump the memory under windows, if it’s not log out? (freeware, not winhex by x-ways)

    And if a criminal does steal your laptop/PC and finds it encrypted or password protected, in most cases they format the hard drive and try to sell it as fast as possible.
